During our daily threat hunting activities in our 4000+ customer base, we have gained an intimate understanding of the adversaries behind the threats. This unique insight has been organized by our hunters and security researchers to create threat activity clusters. By clustering these adversaries, we know how to better mitigate the threat they present.
Activity clusters separate adversaries into distinct threat group “flavors.” Once understood, the threat posed become manageable, and we believe they should have a suitably unintimidating identifier. So, what could be less intimidating than ice cream?
To learn more about Project Ice Cream, read the series’ introductory blog here.
Our first threat activity cluster identified in Project Ice Cream is Mint. This is a flavor of attackers which uses remote code execution exploits (RCE) targeting Linux machines to upload crypto miners to vulnerable Linux systems.
Mint Timeline
Mint’s actions had been observed previously, but we first started paying close attention to them as a threat group at the beginning of January 2020 when they began a campaign exploiting CVE-2019-19781, a vulnerability discovered in the Citrix Application Delivery Controller (ADC) and Citrix Gateway. It allowed an attacker to remotely execute code without the need for any precursors, such as authentication into the system.
Unauthenticated RCEs are always the most serious of vulnerabilities, as it grants an attacker immediate control over a system in seconds, with no prerequisites required.
The vulnerability was on the radar of Alert Logic researchers and threat hunters when it was announced on December 17, 2019. As a result, wideband telemetry signatures were deployed and flagged as a candidate for hunts. Like all wideband hunting telemetry, they captured an excessive amount of benign information as the net is cast wide. These signatures captured network data (full payload capture), so our SOC threat experts (TSX) could sift through the requests and responses sent to and from the Citrix devices. This creates a feedback loop that allows threat researchers to refine the telemetry signatures.
Initial reviews of these signatures did not yield any results. It was only after January 10, 2020, where a PoC was publicly available, that we started to see our customers getting targeted with the exploit. This a common pattern, as initially very few know the specific method to successfully exploit a vulnerability, even though both attackers and defenders may be aware a vulnerability exists in a system.
Regardless, once it is out there, malicious actors use the PoC string and create derivatives to exploit and avoid detection or prevention.
The Mint Ice Cream flavor was first confirmed when an Alert Logic threat hunter identified a malware dropper with a naming convention related to the Citrix RCE and following a two-character “XX.sh” naming formula. It was then verified that the infected machine was a Citrix ADC. The dropper sought to kill any miners already present, setting up persistence mechanisms via Cron Jobs, before dropping an Executable and Linkable Format (ELF), to begin mining crypto currency (XMRIG miner).
We observed similar activity in April 2020 as part of the SaltStack campaign, although an interesting new tactic was discovered once access has been gained using the SaltStack RCE.
Mint TTP Evolution
Attackers evolve as they attempt to evade security controls and interestingly, this time, the ELF contained the whole of Shakespeare’s Hamlet amongst the code. While fun, the Shakespearean tragedy is likely to have served as a padder, meaning analytical tools would see the file as mostly benign, as the majority was un-executable text. This meant that tools which flag/block based on the percentage of malicious content identified, would not be confident enough to block the file. Considering their goal, it is no wonder they chose Shakespeare’s longest play.
“Though this be madness, yet there is method in’t.”
– Hamlet Act 2, Scene 2, 193-206
The tactical evolution became part of the Mint strategy. It was observed again in October 2020 when the Oracle WebLogic RCE was discovered, and in August 2021, exploiting the Atlassian Confluence flaw.
The activity we observed involves Russian IP addresses throughout, with IP addresses associated to former Soviet states involved in the installation phases. While this information is helpful for tracking and hunting activity related to this flavor, it is important to emphasize this is not attribution to a nation, as IP addresses can be easily spoofed.
Their overall objective has been to install crypto miners onto vulnerable systems, hijacking their compute power to provide a steady stream of cryptocurrency to the attackers’ wallets. We have referred to the ELF file internally as a GO-LNG Miner; however, it is widely known as Kinsing in the security community.
Mint continues to look for the latest RCE vulnerability to gain initial access. More recently, at the end of 2021 into 2022, this flavor was very active during the Log4j saga in an attempt to capitalize on the abundance of java-based applications likely to have been bundled with the vulnerable open source logging module.
Despite capitalizing on the latest exploit, hoping to catch vulnerable systems before the next patch cycle, and demonstrating the ability to adapt TTPs when necessary, elements of the subsequent techniques and actions are consistent. The same two configurations for mining have been consistently observed, alongside other common methods and indicators in the C2 and installation phases, allowing us to confidently cluster the activity under the flavor Mint.
Our understanding and routine tracking of this threat activity cluster has facilitated numerous detections and remediation plans for this group in our customer base.
Known Exploits Used
- Kubernetes misconfigurations
- CVE-2017-9841 – PHP Eval
- CVE-2019-9082 – ThinkPHP
- CVE-2019-19781 – Citrix RCE
- CVE-2020-11651 – SaltStack Authentication Bypass
- CVE-2020-7961 – Liferay
- CVE-2020-5902 BIG-IP TMUI RCE Vulnerability
- CVE-2020-15505 – MobileIron Core & Connector
- CVE-2020-14882/CVE-2020-14750 – Web Logic
- CVE-2020-11854 – Micro Focus
- CVE-2021-3129 – Laravel Ignition
- CVE-2021-26084 – Confluence
- CVE-2021-41773 – Apache
TTPs
- Active Scanning – T1595 [recon]
- Exploit Public-Facing Application – T1190 [recon/delivery/exploit]
- Scheduled Task/Job: Cron – T1053.003 [inst persistence]
- Ingress Tool Transfer – T1105 [inst / C2]
- Application Layer Protocol – T1071 [C2]
- Resource hijacking – T1496 [AoO]
Targets
- Vulnerable and exposed servers
- Linux servers
- Indiscriminate of business sector
Actor/Flavor Infrastructure
- Russian ASOs used throughout
- Ex-Soviet state ASOs used during installation phase
Actions on Objectives
- Crypto mining (XMRIG)
Find out how Alert Logic can support your organization in tackling existing and emerging threats used by actors like Mint by scheduling a personalized MDR demo.
Additional Resources
Explore Alert Logic’s Project Ice Cream threat activity clusters blog series:
